TLS_FAIL_ALTSUBJECT_MISMATCH = 6,
TLS_FAIL_BAD_CERTIFICATE = 7,
TLS_FAIL_SERVER_CHAIN_PROBE = 8,
- TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9
+ TLS_FAIL_DOMAIN_SUFFIX_MISMATCH = 9,
+ TLS_FAIL_SERVER_USED_CLIENT_CERT = 10
};
union tls_event_data {
unsigned int ca_cert_verify:1;
unsigned int cert_probe:1;
unsigned int server_cert_only:1;
+ unsigned int server:1;
u8 srv_cert_hash[32];
TLS_FAIL_SERVER_CHAIN_PROBE);
}
+ if (!conn->server && err_cert && preverify_ok && depth == 0 &&
+ (err_cert->ex_flags & EXFLAG_XKUSAGE) &&
+ (err_cert->ex_xkusage & XKU_SSL_CLIENT)) {
+ wpa_printf(MSG_WARNING, "TLS: Server used client certificate");
+ openssl_tls_fail_event(conn, err_cert, err, depth, buf,
+ "Server used client certificate",
+ TLS_FAIL_SERVER_USED_CLIENT_CERT);
+ preverify_ok = 0;
+ }
+
if (preverify_ok && context->event_cb != NULL)
context->event_cb(context->cb_ctx,
TLS_CERT_CHAIN_SUCCESS, NULL);
int res;
struct wpabuf *out_data;
+ conn->server = !!server;
+
/*
* Give TLS handshake data from the server (if available) to OpenSSL
* for processing.